
Commit b4d3f41

author
Atanas Chuchev
committed
Merge branch 'feature/ESO_Patch' of https://github.com/EldarShalev/jetstack-secure into feature/ESO_Patch
2 parents 83fe854 + ad67d6e commit b4d3f41

11 files changed

Lines changed: 357 additions & 7 deletions


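--- a/deploy/charts/disco-agent/templates/configmap.yaml
+++ b/deploy/charts/disco-agent/templates/configmap.yaml
@@ -136,12 +136,12 @@ data:
 config:
 resource-type:
 group: external-secrets.io
-version: v1
+version: v1beta1
 resource: clusterexternalsecrets
 - kind: k8s-dynamic
 name: ark/clustersecretstores
 config:
 resource-type:
 group: external-secrets.io
-version: v1
+version: v1beta1
 resource: clustersecretstores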
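Review bot: The two new cluster-scoped gatherers are pinned to `version: v1beta1` while the neighbouring `ark/secretstores` and `ark/externalsecrets` entries in the same config (visible as context in the snapshot hunks, `version: v1`) stay on `v1`. All four CRDs come from the single ESO release that hack/ark/test-e2e.sh installs, so presumably only one of the two API versions is the one that release keeps serving, and the other set of gatherers is the one at risk of failing discovery when served versions change. Pick one version consistently, e.g. `version: v1` here if the existing v1 entries already pass e2e. The same split appears in the snapshot, in examples/machinehub.yaml and in the `apiVersion` of the sample CRs under hack/ark, so it should be changed together and the chart snapshot regenerated.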

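--- a/deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap
+++ b/deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap
@@ -119,6 +119,20 @@ custom-cluster-description:
 group: external-secrets.io
 version: v1
 resource: secretstores
+- kind: k8s-dynamic
+name: ark/clusterexternalsecrets
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clusterexternalsecrets
+- kind: k8s-dynamic
+name: ark/clustersecretstores
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clustersecretstores
 kind: ConfigMap
 metadata:
 labels:
@@ -250,6 +264,20 @@ custom-cluster-name:
 group: external-secrets.io
 version: v1
 resource: secretstores
+- kind: k8s-dynamic
+name: ark/clusterexternalsecrets
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clusterexternalsecrets
+- kind: k8s-dynamic
+name: ark/clustersecretstores
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clustersecretstores
 kind: ConfigMap
 metadata:
 labels:
@@ -381,6 +409,20 @@ custom-period:
 group: external-secrets.io
 version: v1
 resource: secretstores
+- kind: k8s-dynamic
+name: ark/clusterexternalsecrets
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clusterexternalsecrets
+- kind: k8s-dynamic
+name: ark/clustersecretstores
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clustersecretstores
 kind: ConfigMap
 metadata:
 labels:
@@ -512,6 +554,20 @@ defaults:
 group: external-secrets.io
 version: v1
 resource: secretstores
+- kind: k8s-dynamic
+name: ark/clusterexternalsecrets
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clusterexternalsecrets
+- kind: k8s-dynamic
+name: ark/clustersecretstores
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clustersecretstores
 kind: ConfigMap
 metadata:
 labels: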

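--- a/examples/machinehub.yaml
+++ b/examples/machinehub.yaml
@@ -158,3 +158,20 @@ data-gatherers:
 version: v1
 resource: secretstores
 
+# Gather External Secrets Operator ClusterExternalSecret resources
+- name: ark/clusterexternalsecrets
+kind: k8s-dynamic
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clusterexternalsecrets
+
+# Gather External Secrets Operator ClusterSecretStore resources
+- name: ark/clustersecretstores
+kind: k8s-dynamic
+config:
+resource-type:
+group: external-secrets.io
+version: v1beta1
+resource: clustersecretstores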

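--- a/examples/machinehub/input.json
+++ b/examples/machinehub/input.json
@@ -171,5 +171,17 @@
 "data": {
 "items": []
 }
+},
+{
+"data-gatherer": "ark/clusterexternalsecrets",
+"data": {
+"items": []
+}
+},
+{
+"data-gatherer": "ark/clustersecretstores",
+"data": {
+"items": []
+}
 }
 ]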
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
# Sample ClusterExternalSecret for e2e testing
2+
# This is a minimal ClusterExternalSecret CR that will be discovered by the agent.
3+
# This is a cluster-scoped resource that can create ExternalSecrets in multiple namespaces.
4+
apiVersion: external-secrets.io/v1beta1
5+
kind: ClusterExternalSecret
6+
metadata:
7+
name: e2e-test-cluster-external-secret
8+
labels:
9+
app.kubernetes.io/name: e2e-test
10+
app.kubernetes.io/component: cluster-external-secret
11+
spec:
12+
refreshInterval: 1h
13+
externalSecretSpec:
14+
secretStoreRef:
15+
name: e2e-test-cluster-secret-store
16+
kind: ClusterSecretStore
17+
target:
18+
name: e2e-test-synced-secret
19+
creationPolicy: Owner
20+
data:
21+
- secretKey: example-key
22+
remoteRef:
23+
key: dummy/path/to/secret
24+
property: password
25+
namespaceSelector:
26+
matchLabels:
27+
environment: test

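--- a/hack/ark/cluster-secret-store.yaml
+++ b/hack/ark/cluster-secret-store.yaml
@@ -0,0 +1,18 @@
+# Sample ClusterSecretStore for e2e testing
+# This is a minimal ClusterSecretStore CR that will be discovered by the agent.
+# This is a cluster-scoped resource that can be referenced by ExternalSecrets in any namespace.
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+name: e2e-test-cluster-secret-store
+labels:
+app.kubernetes.io/name: e2e-test
+app.kubernetes.io/component: cluster-secret-store
+spec:
+provider:
+# Fake provider configuration - this won't actually work but allows the CR to be created
+fake:
+data:
+- key: dummy/path/to/secret
+value: dummy-value
+version: "1"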

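--- a/hack/ark/test-e2e.sh
+++ b/hack/ark/test-e2e.sh
@@ -80,12 +80,24 @@ kubectl create secret generic e2e-sample-secret-$(date '+%s') \
 # in the ark/configmaps data gatherer (conjur.org/name=conjur-connect-configmap).
 kubectl apply -f "${root_dir}/hack/ark/conjur-connect-configmap.yaml"
 
-# Create sample External Secrets Operator resources that will be discovered by the agent
+# Install External Secrets Operator CRDs and controller
 #
-# These require the ESO CRDs to be installed in the cluster. If the CRDs are not
-# installed, these commands will fail but the e2e test can still proceed.
-kubectl apply -f "${root_dir}/hack/ark/secret-store.yaml" || echo "Warning: SecretStore CRD not installed, skipping"
-kubectl apply -f "${root_dir}/hack/ark/external-secret.yaml" || echo "Warning: ExternalSecret CRD not installed, skipping"
+# This is required for the agent to discover ExternalSecret and SecretStore resources.
+echo "Installing External Secrets Operator..."
+helm repo add external-secrets https://charts.external-secrets.io
+helm repo update
+helm upgrade --install external-secrets \
+external-secrets/external-secrets \
+--namespace external-secrets-system \
+--create-namespace \
+--wait \
+--set installCRDs=true
+
+# Create sample External Secrets Operator resources that will be discovered by the agent
+kubectl apply -f "${root_dir}/hack/ark/secret-store.yaml"
+kubectl apply -f "${root_dir}/hack/ark/external-secret.yaml"
+kubectl apply -f "${root_dir}/hack/ark/cluster-secret-store.yaml"
+kubectl apply -f "${root_dir}/hack/ark/cluster-external-secret.yaml"
 
 # We use a non-existent tag and omit the `--version` flag, to work around a Helm
 # v4 bug. See: https://github.com/helm/helm/issues/31600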
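Review bot: `helm upgrade --install external-secrets external-secrets/external-secrets` on new line 89 pulls whatever chart version is latest at run time, so the e2e now depends on an unpinned upstream release, and a future ESO release that stops serving `external-secrets.io/v1beta1` would make the four `kubectl apply` lines below it fail for reasons unrelated to the agent. Pin it with `--version <ESO_CHART_VERSION>` (placeholder) unless the Helm v4 issue referenced just after the hunk also applies to this install, in which case say so in the comment. `helm repo add external-secrets https://charts.external-secrets.io` on line 87 also errors when the runner already has a repo of that name registered with a different URL; `helm repo add --force-update external-secrets https://charts.external-secrets.io` avoids that spurious failure. The comment on line 85 names only ExternalSecret and SecretStore although the cluster-scoped variants are now applied as well.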

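--- a/internal/cyberark/dataupload/dataupload.go
+++ b/internal/cyberark/dataupload/dataupload.go
@@ -77,6 +77,10 @@ type Snapshot struct {
 ExternalSecrets []runtime.Object `json:"externalsecrets"`
 // SecretStores is a list of SecretStore resources in the cluster.
 SecretStores []runtime.Object `json:"secretstores"`
+// ClusterExternalSecrets is a list of ClusterExternalSecret resources in the cluster.
+ClusterExternalSecrets []runtime.Object `json:"clusterexternalsecrets"`
+// ClusterSecretStores is a list of ClusterSecretStore resources in the cluster.
+ClusterSecretStores []runtime.Object `json:"clustersecretstores"`
 // Roles is a list of Role resources in the cluster.
 Roles []runtime.Object `json:"roles"`
 // ClusterRoles is a list of ClusterRole resources in the cluster.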

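--- a/pkg/client/client_cyberark.go
+++ b/pkg/client/client_cyberark.go
@@ -227,6 +227,12 @@ var defaultExtractorFunctions = map[string]func(*api.DataReading, *dataupload.Sn
 "ark/secretstores": func(r *api.DataReading, s *dataupload.Snapshot) error {
 return extractResourceListFromReading(r, &s.SecretStores)
 },
+"ark/clusterexternalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error {
+return extractResourceListFromReading(r, &s.ClusterExternalSecrets)
+},
+"ark/clustersecretstores": func(r *api.DataReading, s *dataupload.Snapshot) error {
+return extractResourceListFromReading(r, &s.ClusterSecretStores)
+},
 }
 
 // convertDataReadings processes a list of DataReadings using the provided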
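Review bot: The two new extractors forward whole ClusterSecretStore and ClusterExternalSecret objects into the snapshot through `extractResourceListFromReading`, exactly like the existing `ark/secretstores` entry, and a ClusterSecretStore spec can embed provider configuration (hack/ark/cluster-secret-store.yaml in this commit carries `value: dummy-value` under `spec.provider.fake.data`). Whether any field filtering happens before upload is not visible in this hunk; if it lives in the gatherer or the Snapshot marshalling, the cluster-scoped store should get the same treatment as SecretStore, and if there is none that is worth deciding explicitly for a cluster-wide object. A short comment on the new entries, such as `// ClusterSecretStore specs may embed provider config; any redaction happens upstream of this extractor`, would record that decision. The `defaultExtractorFunctions` map literal opens before this hunk.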
